The Federal Deposit Insurance Corporation issued a Financial Institution Letter (FIL) reminding its member banks with less than $1 billion in total assets to account for the risk posed by the use of technology service providers in the event of a cessation of operations or data breach.
FIL-19-2019 recounts that examiners have noted in recent FDIC reports of examination that some financial institution contracts with technology service providers do not adequately define rights and responsibilities regarding business continuity and incident response or provide sufficient detail to allow financial institutions to manage those processes and risks.
The FDIC cautions that such contracts should require the service provider to maintain a business continuity plan, establish recovery standards and define contractual remedies if the service provider misses a recovery standard.
Such agreements with fintech companies should also sufficiently detail the technology service provider’s security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement.
The FDIC also noted that Section 7 of the Bank Service Company Act obligates its member banks to notify it of contracts or relationships with technology service providers that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements and other clerical, bookkeeping, accounting, statistical or similar functions such as data processing, internet banking or mobile banking services.
The FDIC has developed an optional form to allow its member banks to make this notification.